Storage solutions like NetApp store a large amount of data and therefore can generate a large volume of audit events. Change Guardian monitors changes to files and directories on NetApp storage.
Change Guardian supports both CIFS (Common Internet File System) and NFS (Network File System) protocols for monitoring NetApp storage. You must use Security Agent for Unix 7.6 or later and also enable native auditing on the NetApp shares you want to monitor.
You can monitor and receive alerts for a variety of malicious behaviors that occur on a Network Attached Storage (NAS) device, for example an unauthorized user accessing confidential files and directories. You can also include or exclude certain files or directories from the audit scope to make the audit process faster and more efficient.
Complete the following tasks to monitor NetApp shares:
Task | See
---|---
Complete the prerequisites |
Add a license key |
Configure NetApp native auditing |
Configure Change Guardian for NetApp monitoring | Mounting the Audit Logs in CIFS
Triage events | You can triage events in the Change Guardian dashboard and the Administration Console.
Ensure that you have completed the following:
Install the supported platforms and hardware. For more information, see Technical Information for Change Guardian 5.2.
The NetApp share is in Data ONTAP 9.1 Cluster Mode.
Install Security Agent for UNIX.
NOTE: Install Security Agent for UNIX on a dedicated system. This ensures that the agent's own reads of the audit files do not generate file read events.
You must configure the NetApp native auditing solution to monitor file and directory events on your SVM with a FlexVol volume.
The security descriptor can contain Discretionary Access Control Lists (DACLs), which apply file and folder access permissions, System Access Control Lists (SACLs), which control file and folder auditing, or both.
For better performance, store the audit file on a separate volume.
NOTE: If you use the cat command to create and modify a file in quick succession, the file modify event might be missing, because NetApp reads and updates audit logs more slowly than Linux does.
You can configure NetApp auditing in one of the following ways:
You must create an auditing configuration for CIFS on the storage virtual machine (SVM) before you can monitor events on Windows systems. You can monitor these events over CIFS by setting SACLs (System Access Control Lists) on storage objects in NTFS or mixed-mode volumes.
To configure auditing for CIFS:
Launch the Data ONTAP command-line interface.
Create audit configuration for an SVM by running the following command:
vserver audit create -vserver <Name_SVM> -destination "/<Name_Volume>" -events file-ops -format xml -rotate-size XB -rotate-limit 10
Example: When the vserver name is SVM1, the volume is vol1 and the folder is audit, the command is:
vserver audit create -vserver SVM1 -destination /vol1/audit -events file-ops -format xml -rotate-size 1MB -rotate-limit 10
Verify audit configuration by running the following command: vserver audit show -vserver <Name_SVM>
For example, to verify the audit configuration for SVM1, run the following command: vserver audit show -vserver SVM1
Vserver: SVM1
Auditing State: true
Log Destination Path: /vol1
Categories of Events to Audit: file-ops, cifs-logon-logoff,audit-policy-change
Log Format: xml
Log File Size Limit: 100MB
Log Rotation Schedule: Month: -
Log Rotation Schedule: Day of Week: -
Log Rotation Schedule: Day: -
Log Rotation Schedule: Hour: -
Log Rotation Schedule: Minute: -
Rotation Schedules: -
Log Files Rotation Limit: 0
Enable SVM auditing by running the following command: vserver audit enable -vserver <Name_SVM>
Example:
vserver audit enable -vserver SVM1
You must create an auditing configuration for NFS on the storage virtual machine (SVM) before you can monitor events on Linux systems. You can monitor these events over NFS by setting NFS 4.x ACLs (Access Control Lists) on UNIX or mixed-mode volumes.
To configure auditing in NFS:
Launch the Data ONTAP command-line interface.
Create audit configuration for an SVM by running the following command:
vserver audit create -vserver <Name_SVM> -destination "/<Name_Volume>" -events file-ops -format xml -rotate-size XB -rotate-limit 10
Example: When the vserver name is SVM1, the volume is vol1 and the folder is audit, the command is:
vserver audit create -vserver SVM1 -destination /vol1/audit -events file-ops -format xml -rotate-size 1MB -rotate-limit 10
Verify audit configuration by running the following command: vserver audit show -vserver <Name_SVM>
For example, to verify the audit configuration for SVM1, run the following command: vserver audit show -vserver SVM1
Vserver: SVM1
Auditing State: true
Log Destination Path: /vol1
Categories of Events to Audit: file-ops, audit-policy-change
Log Format: xml
Log File Size Limit: 100MB
Log Rotation Schedule: Month: -
Log Rotation Schedule: Day of Week: -
Log Rotation Schedule: Day: -
Log Rotation Schedule: Hour: -
Log Rotation Schedule: Minute: -
Rotation Schedules: -
Log Files Rotation Limit: 0
Enable SVM auditing by running the following command: vserver audit enable -vserver <Name_SVM>
Example:
vserver audit enable -vserver SVM1
To configure Security Agent for UNIX to monitor the NetApp FileSystem changes, enable ACL for NFS by running the following command: vserver nfs modify -vserver <name_SVM> -v4.0 enabled -v4.0-acl enabled
Example:
vserver nfs modify -vserver SVM1 -v4.0 enabled -v4.0-acl enabled
Verify that nfs4-acl-tools is installed on the NFSv4 Linux host, then complete the following steps:
Run the mkdir <Folder_Name> command to create a mount directory.
Mount to the directory by running the following command: mount -t nfs4 <nas_SVMIP>:/<volume_name> <mount_path>
Example:
If SVM IP is x.x.x.x, volume name is vol1 and mount path is /mnt/folder1, run the following command: mount -t nfs4 x.x.x.x:/vol1 /mnt/folder1
To monitor individual folders within a volume, add audit flags recursively on each folder in the mount directory that you need to monitor: nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo <NFS_Share>
Example:
If a folder name in the volume is NFSShare, run the following command: nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo NFSShare
To monitor an entire volume, add audit flags recursively on the mount directory which contains the volume mounted: nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo <mount directory>
Example:
If the mount directory is /mnt/folder1, run the following command: nfs4_setfacl -R -a U:fdSF:EVERYONE@:rwaDdTNCo /mnt/folder1
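The audit ACE set by nfs4_setfacl above only covers directories that existed when the -R run happened, so a defender will want a way to confirm coverage later. The following POSIX shell helper is an added example, not part of the Change Guardian documentation: it assumes nfs4_getfacl (from nfs4-acl-tools) prints one ACE per line in the same type:flags:principal:permissions form that nfs4_setfacl accepts, and all ACL text in it is constructed, not captured from a real SVM.

```shell
#!/bin/sh
# Added verification helper, not part of the Change Guardian documentation.
# Checks nfs4_getfacl output for the audit ACE that the documented command
# installs: type U, inherit flags f and d, principal EVERYONE@, perms rwaDdTNCo.
REQUIRED_PERMS="rwaDdTNCo"

# has_audit_ace ACL_TEXT -> 0 when a qualifying audit ACE is present, else 1.
# Assumes one ACE per line as type:flags:principal:permissions plus "# file:"
# comment lines, which is how nfs4_getfacl prints an ACL.
has_audit_ace() {
    printf '%s\n' "$1" | awk -F: -v req="$REQUIRED_PERMS" '
        /^#/ || NF < 4 { next }        # skip comments, blanks, malformed lines
        $1 == "U" && $3 == "EVERYONE@" && index($2, "f") && index($2, "d") {
            ok = 1
            for (i = 1; i <= length(req); i++)
                if (index($4, substr(req, i, 1)) == 0) ok = 0   # bit missing
            if (ok) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# report_unaudited_dirs MOUNT_DIR -> prints each directory under MOUNT_DIR whose
# ACL lacks the audit ACE (for example one created after nfs4_setfacl -R ran).
# Empty output means every directory is covered.
report_unaudited_dirs() {
    find "$1" -type d -print | while IFS= read -r dir; do
        if acl=$(nfs4_getfacl "$dir" 2>/dev/null); then
            has_audit_ace "$acl" || printf 'MISSING %s\n' "$dir"
        else
            printf 'UNREADABLE %s\n' "$dir"
        fi
    done
}

# Constructed samples in nfs4_getfacl format (not captured from a real SVM).
SAMPLE_AUDITED='# file: NFSShare
U:fdSF:EVERYONE@:rwaDdTNCo
A::OWNER@:rwaDxtTnNcCy
A::EVERYONE@:rxtncy'
# Audit ACE without f/d inheritance: files created later would not be audited.
SAMPLE_NO_INHERIT='# file: NFSShare
U:SF:EVERYONE@:rwaDdTNCo
A::OWNER@:rwaDxtTnNcCy'
# Audit ACE covering only read, write and append.
SAMPLE_PARTIAL='U:fdSF:EVERYONE@:rwa
A::EVERYONE@:rxtncy'
# Live usage: report_unaudited_dirs /mnt/folder1
```

Run report_unaudited_dirs against the mount directory (for example /mnt/folder1) after adding new folders or restoring data; any MISSING line names a directory whose changes Change Guardian would not see until the nfs4_setfacl command is re-run on it.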
Complete the NetApp audit configuration and mount the NetApp volumes on the Security Agent for UNIX computer: one volume holding the audit logs and the other holding the CIFS or NFS shares to monitor.
Perform the following to configure the Change Guardian server:
Create a mount point in the Security Agent for Unix computer, enter the NetApp configuration details in /etc/fstab and mount the audit log and the NetApp volume that contains the CIFS share.
Create a mount directory.
Example:
mkdir /mnt/audit
Go to /usr/netiq/vsau/etc and create a new file named cifs.
Update the cifs file as follows:
username=<user name>
password=<password>
domain=<domain name>
Restrict the permissions of this file so that only its owner can read the credentials it contains:
chmod 600 cifs
Update the /etc/fstab in the following format:
<svm_ip>:/<volume> <mountlocation> cifs ro,nouser,noexec,nosuid,credentials=/usr/netiq/vsau/etc/cifs 0 0
Example:
10.0.0.1:/vol1 /mnt/audit cifs ro,nouser,noexec,nosuid,credentials=/usr/netiq/vsau/etc/cifs 0 0
Mount the audit volume to the mount location: mount /mnt/audit
NOTE: The mounting account must have read permission on the audit file.
Create a mount point in the Security Agent for UNIX computer, enter the NetApp configuration details in /etc/fstab and mount the audit log and the NetApp volume over NFS.
Create a mount directory: mkdir /mnt/audit
Update the /etc/fstab in the following format:
<svm_ip>:/<volume> <mountlocation> nfs ro,nouser,noexec,nosuid 0 0
Example:
10.0.0.1:/vol1 /mnt/audit nfs ro,nouser,noexec,nosuid 0 0
Mount the audit volume to the mount location: mount /mnt/audit
NOTE: You must make the changes to /etc/fstab and mount the volume that contains the NetApp share in the sequence of steps given above.
Complete the following steps in Security Agent for UNIX:
Go to /usr/netiq/vsau/etc and create a new file named netapp-volume-tab.
Update the netapp-volume-tab file in the following format: SVM_IP_address, share, mount_directory, volume
Example:
If the SVM IP is x.x.x.x, the share name is vol1, the mount directory is /mnt/audit and the volume name is vol1, specify the entry as follows: x.x.x.x,/vol1,/mnt/audit,vol1
NOTE: When you monitor an entire volume, you must update the netapp-volume-tab file as x.x.x.x,/vol1,/mnt/audit,vol1
Create policies to monitor creating, deleting, renaming, and changing permission on NetApp files and directories.
NOTE: Specify the /folder_name that you want to monitor in the directory field of the policy definition. To monitor at the SVM level, use / instead of the folder name.
For information, see Creating Change Guardian Policies.
After creating policies, you can assign them to assets. For information about assigning policies, see Working with Policies.